From c9734b6d7bcb8ba69295bba07bb54697fb992a93 Mon Sep 17 00:00:00 2001
From: jwfang <54740235@qq.com>
Date: Tue, 4 Jul 2017 20:03:55 +0800
Subject: [PATCH] run calico-policy-controller with proper sa/role/rolebinding

---
 .../policy_controller/calico/tasks/main.yml   | 25 +++++++++++++++++++
 .../calico-policy-controller-clusterrole.yml  | 16 ++++++++++++
 ...o-policy-controller-clusterrolebinding.yml | 12 +++++++++
 .../templates/calico-policy-controller-sa.yml |  7 ++++++
 .../templates/calico-policy-controller.yml.j2 |  3 +++
 5 files changed, 63 insertions(+)
 create mode 100644 roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrole.yml
 create mode 100644 roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrolebinding.yml
 create mode 100644 roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-sa.yml

diff --git a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
index 8b4271d6a..02aac8988 100644
--- a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
+++ b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
@@ -3,6 +3,31 @@
   when: kube_network_plugin == 'canal'
   tags: [facts, canal]
 
+- name: Lay Down calico-policy-controller Template
+  template:
+    src: "{{item.file}}"
+    dest: "{{kube_config_dir}}/{{item.file}}"
+  with_items:
+    - {name: calico-policy-controller, file: calico-policy-controller-sa.yml, type: sa}
+    - {name: calico-policy-controller, file: calico-policy-controller-clusterrole.yml, type: clusterrole}
+    - {name: calico-policy-controller, file: calico-policy-controller-clusterrolebinding.yml, type: clusterrolebinding}
+  register: manifests
+  when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
+  tags: canal
+
+- name: Create calico-policy-controller Resources
+  kube:
+    name: "{{item.item.name}}"
+    namespace: "{{ system_namespace }}"
+    kubectl: "{{bin_dir}}/kubectl"
+    resource: "{{item.item.type}}"
+    filename: "{{kube_config_dir}}/{{item.item.file}}"
+    state: "{{item.changed | ternary('latest','present') }}"
+  with_items: "{{ manifests.results }}"
+  failed_when: manifests|failed and "Error from server (AlreadyExists)" not in manifests.msg
+  when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
+  tags: canal
+
 - name: Write calico-policy-controller yaml
   template:
     src: calico-policy-controller.yml.j2
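Review bot: The `failed_when` on the "Create calico-policy-controller Resources" task inspects `manifests` (the register of the preceding template task) rather than the result of the `kube` task it is attached to, so a kubectl error other than AlreadyExists while creating the ServiceAccount, ClusterRole or ClusterRoleBinding is not reported and the play continues with the RBAC objects possibly missing. Register the kube result and test that instead, e.g. `register: calico_rbac_result` on the task and `failed_when: calico_rbac_result|failed and "Error from server (AlreadyExists)" not in calico_rbac_result.msg` (inside a loop the registered name refers to the current item's result). The ternary on `item.changed` already keys off the per-item template result, so only the failure condition needs this change. The task list continues outside the hunk.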
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrole.yml b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrole.yml
new file mode 100644
index 000000000..3b71b9001
--- /dev/null
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrole.yml
@@ -0,0 +1,16 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: calico-policy-controller
+  namespace: {{ system_namespace }}
+rules:
+  - apiGroups:
+    - ""
+    - extensions
+    resources:
+      - pods
+      - namespaces
+      - networkpolicies
+    verbs:
+      - watch
+      - list
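Review bot: The ClusterRole carries `namespace: {{ system_namespace }}` in its metadata, but ClusterRole is cluster-scoped, so the field is either ignored or rejected by the API server depending on the version; drop the line so the manifest does not suggest a scope the object cannot have. Separately, the single rule lists `""` and `extensions` together with `pods`, `namespaces` and `networkpolicies`, which grants watch/list on every combination of those groups and resources rather than the specific pairs the controller presumably reads (pods and namespaces in the core group, networkpolicies in extensions at this API version; confirm against the controller's requirements). Splitting into one rule per apiGroup keeps the grant to exactly the intended pairs and is easier to audit, as in the excerpt below.
```yaml
metadata:
  name: calico-policy-controller
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - namespaces
    verbs:
      - watch
      - list
  - apiGroups:
      - extensions
    resources:
      - networkpolicies
    verbs:
      - watch
      - list
```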
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrolebinding.yml b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrolebinding.yml
new file mode 100644
index 000000000..535865f01
--- /dev/null
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrolebinding.yml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: calico-policy-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-policy-controller
+subjects:
+- kind: ServiceAccount
+  name: calico-policy-controller
+  namespace: {{ system_namespace }}
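Review bot: The `subjects` sequence here is written flush with its parent key while the sibling ClusterRole template indents its sequences by two spaces; the three new templates are read together, so pick one sequence indentation style for all of them (yamllint `indentation.indent-sequences` will flag the mix if it runs on the rendered output). The binding's subject namespace matches the ServiceAccount's namespace, which is the part that must agree for the binding to take effect.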
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-sa.yml b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-sa.yml
new file mode 100644
index 000000000..388f12977
--- /dev/null
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-sa.yml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: calico-policy-controller
+  namespace: {{ system_namespace }}
+  labels:
+    kubernetes.io/cluster-service: "true"
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
index 322d3a37b..9639fed82 100644
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
@@ -60,3 +60,6 @@ spec:
       - hostPath:
           path: {{ calico_cert_dir }}
         name: etcd-certs
+{% if rbac_enabled %}
+      serviceAccountName: calico-policy-controller
+{% endif %}
-- 
GitLab